Thursday, May 13, 2010

Security metrics - proving you've made a difference

by Simon Biles

About the Author

Simon Biles is a founder of Thinking Security Ltd., an Information Security and Risk Management consultancy firm based near Oxford in the UK.

Language is a funny thing – even though we may speak the same basic language, the nuances, construction and vocabulary are very individual. I find listening to my children a wonderful thing – sometimes I hear either my words, or those of my wife, but more often I hear distinct phrases and words that are unique to them. This month, they have challenged me, in an oft-played game, to insert words that are uniquely theirs, and not mine, into this column – so, embedded somewhere in the next eight hundred or so words are two words that have been given to me – I’ll publish the name of anyone next month who can tell me which two they are!

Given that two people may interpret any given word in vastly different ways depending on their backgrounds, how do we ensure there is a consensus of understanding? We operate in a field that has very definite concepts – true or false, on or off, zero or one – binary choices. There are few shades of uncertainty (all smart comments about quantum computing to /dev/null please) – it’s there or it isn’t, and unless we are called upon to give our opinions as experts, we are bound, at least ethically if not legally, to make statements of fact. I personally find it an immense problem, though, that so often there are not really clear definitions of terms – or at least not clear definitions that you can easily present to a customer (or worse, a jury).

To add further problems, for me at least, I subscribe to a code of ethics that prohibits the use of “FUD” in dealing with customers (see “Fear, Uncertainty and Doubt” have to be the biggest drivers in Information Security sales as a quick survey of some major security vendors supports:

“… cyber cold war, with critical infrastructures under constant cyberattack causing widespread damage” – McAfee (fear of attack)

“Do you know where your data ends up?” – Checkpoint (uncertainty)

“Today's attackers evade traditional security solutions, leaving your business vulnerable to data theft.” – Symantec (doubt in your “traditional” solution)

Having put up these examples, I had a moment of paranoia and had to check my own website just to be sure – it really is a very easy thing to do – “pas de touché” fortunately!

So where does this leave us?
